Scale is one measure of a security challenge. The AV-Test Institute registered 100 million-plus new malicious programs during a 12-month period ending in May 2017.

Another way to gauge a security problem's severity is by its price tag. The average cost of a data breach rose from $3.8 million to $4 million in 2016, according to Ponemon Institute's "Cost of Data Breach Study." Grand View Research Inc. expects the endpoint security market to surge to a $27.05 billion valuation by 2024, up from $10.12 billion in 2015. In short, an endpoint infection that leads to a breach will have you paying at least twice.

CISOs and directors who stay apprised of advanced endpoint protection developments can make informed decisions about where to invest in this market and provide input on its course of growth. Endpoint security is making strides in behavior analytics, sandboxing and machine learning, increasing its capacity to mitigate advanced malware. These developments play a significant role in defending the enterprise against evolving threats, including ransomware.

Behavior analytics (BA) builds a profile -- a baseline fingerprint -- of normal user behavior. With this baseline, vendors can detect uncharacteristic behavior. "Some manufacturers who have multiple security offerings are building user profiles based on data from across the network," said Peter Burke, CISSP, security and borderless networks technical consultant at Force 3. The robust profiles that result improve detection abilities to advance endpoint protection.

New BA systems drill down into user activities on a fine-grain level. "State-of-the-art BA looks at running processes, process changes, changes in file size or location, and users entering the kernel space and modifying things there," said Brandon McCrillis, CEO and principal consultant for Rendition Infosec.

"BA systems denote the difference between a valid and invalid person, identify bot actions and sleeper Trojans, and protect networks against patient zero scenarios," said Tim Cullen, CISSP, F5-CTS, who is senior security architect for Adapture Inc. Rather than detecting an infection, BA systems detect malicious behavior before the first infection in the hope that there won't be a patient zero.

Vendor models, BA and endpoint protection

Vendors use different models to provide BA and advanced endpoint protection. Some vendors are building new endpoint security tools by uniting their products with those of other providers. Crowdstrike has partnered with Exabeam to bring its cloud-based endpoint security to market with Exabeam's User and Entity Behavior Analytics. "Separating the analytics engine in this way means you can accept more data into the system and perform analytics on large amounts of evidence," Cullen said. You would expect such a system to get a complete picture of behaviors and threats and formulate a more thorough and comprehensive response.

Cyphort has formed partnerships with Carbon Black and with Bradford Networks to offer solutions that include BA in endpoint security. The more vendors involved, the more the threat intelligence that you can have available for use by these systems.

There are drawbacks to multivendor systems. To operate fully in concert, vendors on both sides of the interaction will need to make software and configuration adjustments. "This can add to the installation time based on API availability and versioning needs," Cullen said. "Multivendor solutions can also be a handful to manage with regression testing and software support costs."

Single-vendor products have their advantages. "All-in-one solutions such as those from FireEye and Checkpoint have value when it comes to consolidated support and ease of integration," he said.

Antisandboxing on the rise

Malware that uses antisandboxing and anti-virtual-machine techniques -- sandboxes are typically virtual environments -- looks for evidence that it is running in a sandbox. This evidence has included anything that could be present in a virtual machine or sandbox, such as certain files or registry keys. "We have seen malware that checks process lists to identify sandboxing binaries," said Brandon McCrillis, CEO and principal consultant at Rendition Infosec.


When malware detects that it is in a sandbox, it can go dormant or "sleep" so that the sandboxing technology has little to analyze. Some malware starts out latent and revives later to circumvent discovery by sandboxes. This ability allows the same malware to remain productive longer because no one has identified it. "Endpoint security counters malware that sleeps by moving time forward on the system to trick the malware into waking up," McCrillis said.

Other malware runs in memory and does not create, save or execute any new files and thus avoids sandboxes altogether. Advanced malware has many methods for countering sandboxes. Enterprises should consider endpoint security vendors who update their sandboxing technology on a continuous basis to successfully cope with advanced malware's evolving sandbox detection, response and evasion methods.

Sandboxing differences and updates


Endpoint security uses virtual bubbles called sandboxes to run and study threats without affecting systems external to the sandbox. These endpoint security tools learn how to better defend systems from experiments. "Sandboxing technologies vary between every manufacturer, depending on whether they deliver these on premises or as hybrid or cloud-based solutions and based on the operating systems used, the versioning of the software and what software each tests against," Burke said.

Some sandboxes run on separate appliances, and some use software agents on the endpoint. Separating the malware further from the production environment or business network by using appliances adds a layer of protection for the enterprise. "Sandboxes that run in local device agents add risk that the threat could infect the corporate network," Cullen said.


The newest sandboxes simulate multiple OSes to see how threats affect different systems; this is essential for most enterprises, which must support various endpoints and OSes. Vendors that centralize sandboxing services in the cloud can efficiently collect new threat information and quickly disperse it to all their customers.

This cloud-based approach provides advanced endpoint protection even when a new attack has not yet hit your organization. This model is more expedient than waiting for an external publisher of new threat intelligence to collect threat data, process it and send it on to you. Still, external threat intelligence is necessary, as another vendor may see and publish a threat before your vendor does.

The latest sandboxes integrate directly with BA and security event monitoring and alerting technologies. This integration increases the effectiveness of all these technologies and gives BA an additional, direct source of behavioral intelligence. These kinds of sandboxes are often called secure containers.

Modern threats can determine whether they are in a sandbox by trying to ping Google's IP address. In response, new endpoint security products' sandboxes allow that threat to ping that external address. "Sandboxes that enable that granular approval of traffic escaping are useful to trick the malware into thinking it's not in a sandbox," McCrillis said. (See sidebar for more on advanced malware's antisandboxing maneuvers.)

Comprehensive sandboxing is intuitively preferable for advanced endpoint protection. Sandboxing approaches that address the many attack vectors of file, memory and process exploits offer more efficacy than single-vector methods such as browser-based isolation of threats, said Mike Spanbauer, vice president for strategy at NSS Labs.

With this idea, computers and programs police themselves based on adaptive parameters of both pattern matching and quick inferences about new patterns, according to Spanbauer. "There are no silver bullets in security with a human opponent, but with the help of machines, the [time to respond] and [time to protect] come that much closer to actual 'patient zero protection,' which is arguably the holy grail for endpoint protection," Spanbauer said.

Endpoint security fights ransomware

Ransomware can be polymorphic or metamorphic, meaning that it can change its code as it propagates to avoid detection. Metamorphic malware uses algorithms to rewrite its code with each infection. Polymorphic code typically changes part of itself while some essential mechanism or component stays static.


According to Cullen at Adapture, endpoint security vendors are creating products that defend the enterprise against mutating ransomware by merging technologies like machine learning, behavioral analysis, file system monitoring and process monitoring. Though the ransomware recodes itself, its behavior is apparent, enabling these new techniques to distinguish it from benign software.
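As an added example (not code from the article or from any vendor named in it), the following Python scores each process on the file-system behavior described above rather than on its hash, so the same rule fires whether or not the ransomware has recoded itself; the event format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
import math

@dataclass
class FsEvent:
    """One file-system event as an endpoint agent might record it (assumed format)."""
    pid: int
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # content written (only for "write")
    new_path: str = ""  # destination (only for "rename")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted output sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_processes(events, entropy_threshold=7.0):
    """Per-pid behavioral counters: high-entropy overwrites, extension-changing
    renames, and the set of distinct directories touched."""
    stats = defaultdict(lambda: {"enc_writes": 0, "ext_renames": 0, "dirs": set()})
    for ev in events:
        s = stats[ev.pid]
        s["dirs"].add(ev.path.rsplit("/", 1)[0])
        if ev.op == "write" and shannon_entropy(ev.data) >= entropy_threshold:
            s["enc_writes"] += 1
        elif ev.op == "rename" and ev.new_path.rsplit(".", 1)[-1] != ev.path.rsplit(".", 1)[-1]:
            s["ext_renames"] += 1
    return stats

def ransomware_like_pids(events, min_files=5, min_dirs=2):
    """Flag pids whose behavior matches mass encryption across directories."""
    return sorted(pid for pid, s in score_processes(events).items()
                  if s["enc_writes"] >= min_files and s["ext_renames"] >= min_files
                  and len(s["dirs"]) >= min_dirs)

# Constructed sample: pid 4242 overwrites documents with cipher-like bytes and renames
# them to .locked; pid 1001 is a text editor saving one plain-text file.
CIPHER_LIKE = bytes(range(256)) * 4
SAMPLE_EVENTS = [FsEvent(1001, "write", "/home/u/notes.txt", b"meeting notes, q3 plan\n" * 8)]
for i, d in enumerate(["/home/u/docs", "/home/u/docs", "/home/u/pics",
                       "/srv/share", "/srv/share", "/home/u/docs"]):
    p = f"{d}/file{i}.docx"
    SAMPLE_EVENTS.append(FsEvent(4242, "write", p, CIPHER_LIKE))
    SAMPLE_EVENTS.append(FsEvent(4242, "rename", p, new_path=p + ".locked"))
```

Thresholds would be tuned per estate against the BA baseline; backup agents and archivers legitimately produce high-entropy writes and need an allow-list or a stricter rename rule.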

Building endpoint security intelligence

To detect and respond to an increasing number of altogether new malware strains, endpoint security must gather and analyze large data sets of behavioral information in real time, apply machine learning to think through the abilities and intents of suspect files and processes, and create and execute counteractive measures. "Endpoint security software must find meaning in massive amounts of data from a wide variety of sources; analysis on this scale is not easy, and this is where machine learning is essential," Burke said.
